chg: [o365-exchange-techniques] [WiP] based on John Lambert matrix techniques

clusters/o365-exchange-techniques.json

@@ -0,0 +1,115 @@
+{
+  "authors": [
+    "John Lambert",
+    "Alexandre Dulaunoy"
+  ],
+  "category": "guidelines",
+  "description": "o365-exchange-techniques - Office365/Exchange related techniques by @johnLaT",
+  "name": "o365-exchange-techniques",
+  "source": "Open Sources",
+  "type": "cloud-security",
+  "uuid": "44574c7e-b732-4466-a7be-ef363374013a",
+  "values": [
+    {
+      "description": "AAD - Dump users and groups with Azure AD",
+      "meta": {
+        "kill_chain": [
+          "tactics:Recon"
+        ]
+      },
+      "uuid": "fab70361-329a-410a-9dc4-831ecd8df39f",
+      "value": "AAD - Dump users and groups with Azure AD"
+    },
+    {
+      "description": "O365 - Get Global Address List: MailSniper",
+      "meta": {
+        "kill_chain": [
+          "tactics:Recon"
+        ]
+      },
+      "uuid": "21833216-1b8a-43a9-b51e-500c67a900a8",
+      "value": "O365 - Get Global Address List: MailSniper"
+    },
+    {
+      "description": "O365 - Find Open Mailboxes: MailSniper",
+      "meta": {
+        "kill_chain": [
+          "tactics:Recon"
+        ]
+      },
+      "uuid": "9e3af2e1-90a6-4d69-ba82-cb0c99401713",
+      "value": "O365 - Find Open Mailboxes: MailSniper"
+    },
+    {
+      "description": "O365 - User account enumeration with ActiveSync",
+      "meta": {
+        "kill_chain": [
+          "tactics:Recon"
+        ]
+      },
+      "uuid": "53361eef-39b0-4c46-a009-0b4e3a0e286a",
+      "value": "O365 - User account enumeration with ActiveSync"
+    },
+    {
+      "description": "End Point - Search host for Azure Credentials: SharpCloud",
+      "meta": {
+        "kill_chain": [
+          "tactics:Recon"
+        ]
+      },
+      "uuid": "5c0c2b04-77e5-4f50-a0b8-206d7cc9946a",
+      "value": "End Point - Search host for Azure Credentials: SharpCloud"
+    },
+    {
+      "description": "On-Prem Exchange - Portal Recon",
+      "meta": {
+        "kill_chain": [
+          "tactics:Recon"
+        ]
+      },
+      "uuid": "2cd547bf-b093-4dab-b9e5-5172049cbc0d",
+      "value": "On-Prem Exchange - Portal Recon"
+    },
+    {
+      "description": "On-Prem Exchange - Enumerate domain accounts: using Skype4B",
+      "meta": {
+        "kill_chain": [
+          "tactics:Recon"
+        ]
+      },
+      "uuid": "651fdde4-09ed-48b7-9620-545d7dcec251",
+      "value": "On-Prem Exchange - Enumerate domain accounts: using Skype4B"
+    },
+    {
+      "description": "On-Prem Exchange - Enumerate domain accounts: OWA & Exchange",
+      "meta": {
+        "kill_chain": [
+          "tactics:Recon"
+        ]
+      },
+      "uuid": "008c46de-4667-4e40-9bea-74e91b6587fd",
+      "value": "On-Prem Exchange - Enumerate domain accounts: OWA & Exchange"
+    },
+    {
+      "description": "On-Prem Exchange - Enumerate domain accounts: FindPeople",
+      "meta": {
+        "kill_chain": [
+          "tactics:Recon"
+        ]
+      },
+      "uuid": "435e9319-88ed-4555-be84-a5322dc997a4",
+      "value": "On-Prem Exchange - Enumerate domain accounts: FindPeople"
+    },
+    {
+      "description": "On-Prem Exchange - OWA version discovery",
+      "meta": {
+        "kill_chain": [
+          "tactics:Recon"
+        ]
+      },
+      "uuid": "f227caf6-9399-4ac3-bab4-010f66853abb",
+      "value": "On-Prem Exchange - OWA version discovery"
+    }
+  ],
+  "version": 1
+}

galaxies/o365-exchange-techniques.json

@@ -0,0 +1,18 @@
+{
+  "description": "o365-exchange-techniques - Office365/Exchange related techniques by @johnLaTwC",
+  "icon": "map",
+  "kill_chain_order": {
+    "tactics": [
+      "Recon",
+      "Compromise",
+      "Persistence",
+      "Expansion",
+      "Actions on Intent"
+    ]
+  },
+  "name": "o365-exchange-techniques",
+  "namespace": "misp",
+  "type": "cloud-security",
+  "uuid": "44574c7e-b732-4466-a7be-ef363374013a",
+  "version": 1
+}